not lanes
Contact me - csgolanes@protonmail.com
ig /vzeroupper
Forwarded from PZM Solutions
Why is partition necessary for your application security?

First of all, let's define what partition is and what it stands for. PZMutator provides an option called binary partition; with this option enabled, your binary will require you to allocate several memory regions for your application instead of just one, so the binary will be mapped onto these regions: each region contains only a single page (4096 bytes) of real data (functions, pointers, constants etc.); you can fill the region with random junk bytes to confuse attackers, but that is up to you.
From the attacker's perspective, dumping your application will look like this: first, he needs to find all of the memory regions that your application uses; second, he needs to save all of these regions to binary files (note that your application may contain more than hundreds of regions depending on its real size); finally, the attacker has to build a database in any of the disassemblers by combining the regions before static analysis can begin.
Compared to just finding the region containing your application and dumping it, mutated binaries with partition are much harder to dump and analyze.
We highly recommend turning on the partition option for your project.

What is partition verification?

As you may know, there's an address space in any application that is reserved for system modules only, and in our case the module we deal with is ntdll.dll. Let's get deeper into it.
First of all, we need to be aware of the process creation algorithm: when a process is spawned in user mode and the main thread (and no other) hasn't been launched yet, there are some memory regions which are already reserved: the lowest region is your application's PE itself and the highest is ntdll.dll; if your application is running under x64 Windows there will be some more DLLs in the 64-bit space, like ntdll.dll (x64), wow64.dll, wow64cpu.dll and some others...
The most well-known and common dump launching (cracking) technique is to break an application when it launches and allocate a memory region at any (dump) base; this approach doesn't require the attacker to find and manually fix all of the relocs (which is nearly impossible by itself with the mutator).
To prevent your application dumps from simply being mapped into the address space, we've added an option called partition verification to the mutator. With this option enabled, the mutator will require your clients to allocate memory regions for some of the fragments in extremely high address space. In the request with the mapper data there will be an additional field (int) in the JSON object called "high_pages"; this field contains the number of regions which have to be allocated with a base higher than 0x77000000. To achieve this you should scan all memory starting from 0x77000000 and find spaces with no mapped modules there (a 1-page cave is enough for each region). The partition verification option will check whether there are enough pages allocated in high memory, and if not (e.g., the attacker patched the application to prevent memory from being allocated that high), the mapping process will be aborted.

To enable both partition and partition validation you need to set these options to true in SDK while initializing the mutator.
pzm::instance->set_option< bool >( pzm::option_t::OPTION_PARTITION, true );
pzm::instance->set_option< bool >( pzm::option_t::OPTION_PARTITION_VALIDATE, true );


Still need assistance and security advice? Contact us - pzm322.com
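The post above describes two client-side steps: scan the address space upward from 0x77000000 for free page-sized caves, one per fragment, and abort mapping when fewer than "high_pages" fragments ended up above that threshold. The following C program is an added example written for this page, not PZM's SDK or mapper code. It replaces the real VirtualQuery/VirtualAlloc walk with a constructed 32-bit address-space snapshot (all bases, sizes and module positions in g_map are made up, including the "ntdll.dll" base) so it runs offline, and the "attacker patched" path is an assumption of how a patched client would misbehave: it ignores the requested base and returns low addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  0x1000u        /* one page per fragment, as the post states */
#define HIGH_BASE  0x77000000u    /* threshold named in the post */

/* Minimal stand-in for what VirtualQuery reports per region (constructed). */
typedef struct {
    uint32_t base;
    uint32_t size;
    bool     mapped;              /* true = a module or other committed memory lives here */
} region_t;

/* Constructed 32-bit address-space snapshot; every address here is illustrative. */
static const region_t g_map[] = {
    { 0x00400000u, 0x00100000u, true  },  /* application image              */
    { 0x00500000u, 0x76A00000u, false },  /* free, entirely below HIGH_BASE */
    { 0x76F00000u, 0x000FF000u, true  },  /* some system module             */
    { 0x76FFF000u, 0x00003000u, false },  /* free, straddles HIGH_BASE      */
    { 0x77002000u, 0x00100000u, true  },  /* "ntdll.dll" (constructed base) */
    { 0x77102000u, 0x00001000u, false },  /* single-page cave               */
    { 0x77103000u, 0x00100000u, true  },  /* another module                 */
    { 0x77203000u, 0x08DFD000u, false },  /* free up to the 2 GiB boundary  */
};
#define MAP_LEN (sizeof g_map / sizeof g_map[0])
#define MAX_FRAGS 64

/* Walk the map upward from HIGH_BASE and collect up to `want` page-aligned,
   page-sized caves. A free region that starts below HIGH_BASE is clamped so
   only the part above the threshold counts. Returns how many were found. */
static size_t find_high_caves(const region_t *map, size_t n, size_t want, uint32_t *out)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < want; i++) {
        if (map[i].mapped) continue;
        uint64_t start = map[i].base;
        uint64_t end   = start + map[i].size;        /* 64-bit: no wrap at 4 GiB */
        if (end <= HIGH_BASE) continue;
        if (start < HIGH_BASE) start = HIGH_BASE;
        start = (start + PAGE_SIZE - 1) & ~(uint64_t)(PAGE_SIZE - 1);
        for (uint64_t p = start; p + PAGE_SIZE <= end && found < want; p += PAGE_SIZE)
            out[found++] = (uint32_t)p;
    }
    return found;
}

/* The check the post describes: count fragments whose base is at or above
   HIGH_BASE and refuse to continue mapping if fewer than high_pages made it. */
static bool partition_verify(const uint32_t *bases, size_t n, int high_pages)
{
    int high = 0;
    for (size_t i = 0; i < n; i++)
        if (bases[i] >= HIGH_BASE) high++;
    return high >= high_pages;
}

/* Simulated client-side mapping step. `high_pages` plays the JSON field of the
   same name. With attacker_patched set, the allocation path behaves like a
   patched client that ignores the requested base and hands out low, easily
   dumped addresses (an assumption made for this example). Returns 1 if mapping
   proceeds, 0 if partition verification aborts it. */
static int mapper_sim(int high_pages, bool attacker_patched)
{
    uint32_t bases[MAX_FRAGS];
    if (high_pages < 0 || high_pages > MAX_FRAGS) return 0;

    size_t n = find_high_caves(g_map, MAP_LEN, (size_t)high_pages, bases);
    if (attacker_patched)
        for (size_t i = 0; i < n; i++)
            bases[i] = 0x10000000u + (uint32_t)i * PAGE_SIZE;   /* constructed low base */

    return partition_verify(bases, n, high_pages) ? 1 : 0;
}

/* Accessor for checking: the idx-th cave a fresh scan of g_map yields, or 0. */
static uint32_t cave_at(size_t idx)
{
    uint32_t bases[MAX_FRAGS];
    size_t n = find_high_caves(g_map, MAP_LEN, idx + 1, bases);
    return idx < n ? bases[idx] : 0;
}

int main(void)
{
    uint32_t bases[MAX_FRAGS];
    size_t n = find_high_caves(g_map, MAP_LEN, 4, bases);
    for (size_t i = 0; i < n; i++)
        printf("fragment %zu -> 0x%08X\n", i, (unsigned)bases[i]);
    printf("honest client : %s\n", mapper_sim(4, false) ? "mapping continues" : "aborted");
    printf("patched client: %s\n", mapper_sim(4, true)  ? "mapping continues" : "aborted");
    return 0;
}
```

On a real Windows client the scan loop is a VirtualQuery walk over MEMORY_BASIC_INFORMATION records with State == MEM_FREE, and each cave is claimed with VirtualAlloc at that explicit base; the clamping of a free region that straddles the threshold is the detail most easily got wrong, which is why the snapshot includes one. Asking for more caves than the snapshot has above HIGH_BASE also aborts, since partition_verify counts what was actually placed rather than what was requested.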
Fuck, why is he sitting in the driver's seat but not behind the wheel? What the hell, where did he end up?
Okay, sigma claims that neverlose devs have pasted some gamesense code and even features in neverlose.
Well, then why has estk pasted min damage and weapon groups from neverlose in the most recent update??....
Okay, I dug deeper into the question of pastes and found out that the min damage override feature was not initially invented and developed by neverlose; the truth is that this particular feature was first seen in boynextdoorhook, released by es3n1n...
I'm so sorry for spreading misinformation and I apologize. Estk hasn't pasted min damage override from nl, he stole it from boynextdoorhook...
Regards.
What's wrong with sigma's ego? Why can even some random config/script title from the nl market hurt his feelings, not to mention jokes about min damage override 🤓
I'm not even a neverlose developer, my brother, and it costs me nothing to boost your ego: chin up! You are the best, the hack you are working for is the best and you are a real sigma 💪
🤓
hk ❤️
posted this thing on my twitter yesterday but forgot that I have a telegram channel 😄
please welcome steam_cpp, the port of steamkit written in modern C++; I spent a couple of minutes today refactoring the code and adding a couple of new features